Ai Video Editor Holi

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill is purpose-aligned, but users should understand that media and edit prompts are sent to NemoVideo for processing.

Install this only if you are comfortable sending the videos, images, audio, prompts, and edit session details you provide to NemoVideo's cloud service. Avoid using it for confidential or highly personal media unless you understand the provider's privacy, retention, and account terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill invites activation through generic phrases like 'edit my raw video clips' and conversational catch-all wording without clearly scoping when the skill should engage. In an agent ecosystem, this can cause over-broad triggering on ordinary user requests, leading to unintended uploads, remote processing, or token-backed API actions without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence: 95%
Finding
The routing table sends 'Everything else' to the SSE chat/edit path, which is an especially broad default for a skill that can drive cloud-side editing behavior. This means ambiguous or unrelated prompts may be forwarded to a backend session, increasing the risk of unintended external data disclosure, accidental edits, or abuse of authenticated service actions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill states that it handles editing on cloud GPUs, but it does not present a clear, upfront privacy warning that user media, prompts, and session data are transmitted to a third-party backend. For a media-editing skill handling potentially sensitive personal videos, this omission can undermine informed consent and expose users to unexpected sharing of personal content.

VirusTotal

66/66 vendors flagged this skill as clean.
